Developer-Ready Infrastructure: NSX and Pivotal

Organizations across industries are embarking on their journey of Digital Transformation. Time-to-market has become very crucial to the bottom-line and companies need to accelerate their application/services delivery and go from concept to production in record time.

Organizations are embracing containers, microservice-based architectures, and Continuous Integration and Delivery tools as they fundamentally change how they develop, deploy and deliver applications.

However, moving from monolith application architectures to microservices-based ones is no ordinary feat.

Many of these organizations leverage Pivotal’s expertise to deliver a modern application development environment. Pivotal’s flagship cloud-native platform, Pivotal Cloud Foundry, provides a modern app-centric environment that lets developers focus on delivering applications with speed and frequency. More information on Pivotal Cloud Foundry, and on the now generally available Pivotal Cloud Foundry 1.10, is available from Pivotal.

Pivotal Cloud Foundry abstracts the underlying IaaS layer so that developers get a modern self-service application development environment without worrying about the infrastructure. The BOSH vSphere CPI plugin does a good job of consuming pre-created networks.

However, the truth is that “someone” always needs to do some provisioning: networks need to be carved out, load balancers need to be configured, NAT rules need to be defined, reachability needs to be configured and security controls need to be enabled. This process must be repeated every time a new PaaS platform is stood up.

Once a PaaS platform is up and running, visibility needs to be provided for monitoring and operations purposes. If an application is reported unreachable by application monitoring dashboards, the operators need to determine where the app is running and if the underlying infrastructure is healthy. Additionally, the PaaS platform needs to co-exist with legacy workloads.

For companies that choose innovation over the status quo, developer-ready infrastructure results in better products and services, delivered faster than ever to customers, while continuing to meet operational goals of cost, security and reliability. Combining VMware’s container-native infrastructure with Pivotal’s cloud-native application platform enables developers to ship the right software, faster and more frequently by eliminating the drag of traditional operational concerns, delays and extra code to guard against infrastructure issues. IT operators get software-based compute, storage, networking and operational tooling optimized for microservices-based application workloads running in containers.

The VMware ecosystem has been playing a big part in digital transformation for quite some time now. VMware has led the journey to enable IT transformation on the compute side with VMware ESX and is now leading network virtualization with the VMware NSX network virtualization and security platform.

VMware NSX provides customers the same agility and automation to network and security infrastructure that Pivotal provides for applications. Here’s how:

NETWORK AUTOMATION

NSX provisions networks and services without touching the physical infrastructure. Whenever a new Pivotal foundation needs to be stood up, operators run a custom script which provisions the virtual networks and services needed, on demand. Cookie-cutter repeatability: automate once, use multiple times to stand up multiple foundations. Need overlapping IP addresses? No problem: enable NSX’s NAT service for each foundation.

NSX has a rich set of REST APIs as well as high-level libraries for Python (PyNSXv) and PowerShell (PowerNSX) users.

NETWORK SECURITY

NSX provides two types of firewalls: the Edge Firewall, a perimeter firewall that secures north/south (N/S) traffic, and the Distributed Firewall, which focuses on securing east/west (E/W) traffic. The NSX Edge Firewall can be used to secure ingress/egress for each PCF foundation. Rules can be crafted according to the security controls required by the organization, as shown in the figure below.

NSX also has a distributed firewall which is enforced right at the vNIC of the VM. Advanced NSX features such as Application Rule Manager can be used for flow analysis within a Pivotal environment and to define micro-segmentation policies based on the observed flow patterns. More information on Application Rule Manager can be found here.

BOSH-created VMs can be dynamically included in pre-defined NSX Security Groups using the BOSH/NSX integration. More details on how to dynamically include BOSH VMs in NSX Security Groups can be found here.

We are also working closely with the Pivotal team on tighter integration of NSX Security Groups with Pivotal Ops Manager. Stay tuned for more details.

CO-EXISTENCE WITH NON-PCF WORKLOADS

Enterprises already have existing workloads running in their data center and want each Pivotal foundation to co-exist as a tenant in their existing infrastructure. The following NSX design enables each PCF foundation to exist as a tenant in the customer’s infrastructure. Some features of this design are:

Two-tier ECMP design, with provider NSX Edges peering with the physical infrastructure.

A Tenant Edge for each PCF installation, which connects to the Provider Edges. The Tenant Edge is deployed with HA enabled.

NAT is enabled on each PCF Tenant Edge, so the PCF installation behind the Edge can use non-routed, overlapping IP space.

A load balancer and perimeter firewall are also configured to control ingress/egress to the Pivotal environment.

Zero-touch onboarding of new tenants without touching the physical infrastructure.
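The following Python example is added here and is not code from the original post or from VMware or Pivotal; it models the per-foundation automation from the Network Automation section and the tenant-edge design above (SNAT for the foundation's inside range, DNAT only for published ingress ports, and a default-deny perimeter rule), then checks that two foundations with the same inside CIDR are still safe because their provider-side NAT addresses differ. The rule field names and sample addresses are constructed for illustration, not an NSX API schema.

```python
"""Plan tenant-edge NAT and perimeter-firewall rules for PCF foundations.

Added example; field names are constructed, not NSX API schema.
"""
import ipaddress
from typing import Dict, List


def plan_foundation(name: str, inside_cidr: str, provider_ip: str,
                    ingress_ports: List[int]) -> Dict:
    """Build the NAT and edge-firewall rule set for one foundation's Tenant Edge."""
    inside = ipaddress.ip_network(inside_cidr)
    outside = ipaddress.ip_address(provider_ip)
    if outside in inside:
        # The provider-side address must live outside the range being NAT'd.
        raise ValueError(f"{name}: provider IP {outside} falls inside {inside}")
    # One SNAT rule hides the whole (possibly overlapping) inside range.
    nat = [{"action": "snat", "original": str(inside), "translated": str(outside)}]
    # DNAT only the published ports; placeholder VIP stands in for the LB address.
    nat += [{"action": "dnat", "original": str(outside), "port": port,
             "translated": f"<{name}-lb-vip>"} for port in ingress_ports]
    # Perimeter firewall: accept exactly the DNAT'd ports, deny everything else.
    firewall = [{"direction": "in", "dst": str(outside), "port": port,
                 "action": "accept"} for port in ingress_ports]
    firewall.append({"direction": "in", "dst": "any", "port": "any", "action": "deny"})
    return {"foundation": name, "nat": nat, "firewall": firewall}


def validate_plans(plans: List[Dict]) -> List[str]:
    """Return conflicts across foundations.

    Inside ranges may overlap (that is what the per-tenant NAT buys us), but
    two Tenant Edges must never share a provider-side translated address.
    """
    owner_of_ip: Dict[str, str] = {}
    problems = []
    for plan in plans:
        snat_ip = plan["nat"][0]["translated"]
        if snat_ip in owner_of_ip:
            problems.append(f"{plan['foundation']} and {owner_of_ip[snat_ip]} "
                            f"both translate to {snat_ip}")
        owner_of_ip[snat_ip] = plan["foundation"]
    return problems


if __name__ == "__main__":
    # Constructed sample: two foundations reuse 10.0.0.0/16 behind distinct edges.
    dev = plan_foundation("pcf-dev", "10.0.0.0/16", "192.0.2.10", [443, 2222])
    prod = plan_foundation("pcf-prod", "10.0.0.0/16", "192.0.2.20", [443])
    print(validate_plans([dev, prod]))
```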

VISIBILITY AND MONITORING

NSX and its surrounding vSphere ecosystem provide the tools for operationalizing a Pivotal Cloud Foundry installation. The same tools used to monitor the IaaS, such as the vRealize Suite and vRealize Network Insight, can also be used to monitor the PaaS platform.

For the vRealize Suite, we have the Pivotal Cloud Foundry Management Pack for vRealize Operations and vRealize Log Insight. This management pack unlocks key metrics and data to give essential visibility into the Cloud Foundry infrastructure. More details can be found here.

With vRealize Network Insight, operators get 360° visibility across virtual and physical networks. Below is an example of the vRealize Network Insight flow analysis capabilities in action, analyzing the flow posture of a Pivotal Elastic Runtime environment.

We have a number of customers running Pivotal Cloud Foundry and NSX today. With the release of Isolation Segments in Pivotal 1.10, customers will be able to provide dedicated pools of resources on which apps can be deployed to isolate workloads. Isolation segments can be used to segregate resources for different applications for regulatory, performance, billing or other reasons. NSX Security Groups can be used with Isolation Segments to further strengthen the security posture of these app segments.